If you’re reading this article, it’s likely that you’re hoping for quick tips on what to do if you suspect there’s spyware or a tracker on your phone. If that is the case, you’re likely to be disappointed; there are no quick lists of things to identify or remove to make you safe again. But that doesn’t mean there is nothing you can do. While it will require a determined effort, the good news is that you can make your devices more resilient against a wide variety of different security threats including spyware.
Increasing complexity = no quick fix
If you’re wondering why there is no quick fix, a brief look into the past can give the answer. As the popular maxim goes: “History doesn’t repeat itself but it often rhymes.” In technology, as in so many areas of life, we often see recurring patterns of threats. But there’s always a twist, as the underlying technology evolves. Such is the case with spyware and other threats on mobile phones.
Desktop computers have had malware for many decades, and those threats changed over time. Early malware was both simple and so rare as to be popularly considered an “urban legend”; the entire instruction set for finding and removing all known malicious code used to fit on a floppy disk, and this only needed to be updated for new threats on a quarterly basis. Now, anti-malware products find and remove so many threats that counts cease to have practical meaning, and updates for new threats must be delivered well-nigh constantly. As a result, where we could once say, “look for A, B or C files to see if you’re infected”, or “do X, Y and Z to clear your device”, now we can’t realistically give such simplistic advice.
Likewise, threats targeting mobile phones have grown in both quantity and complexity. Where we used to be able to give a short list of things to look for to see if you’ve been affected by specific malware programs, that’s no longer realistic. If you’re reading this because you think someone might have installed spyware on your phone, it’s probably best to proceed as if your suspicions are correct.
Mobile phones, aka “the computer in your hand”
As we moved from the early days where threats were few and new ones appeared infrequently, to the present situation of having a practically uncountable number of threats, malware researchers tried to find some way to help people figure out which threats are of greatest concern. One such method was to include a rating for the “severity” of the threat, meaning how much potential there was for harm to an affected user. In one threat-rating model, spyware and backdoors were considered to have “infinite” damage potential because there was almost no limit to how much harm attackers could cause if they could quietly sit on your machine and passively watch your every action or manipulate your computer as if they were sitting at your desk.
Now most of us carry powerful computers with us wherever we go, and those computers are equipped with receivers that identify our location at all times. As a result, someone who’s watching us on our phones has even more capability to monitor our activities, as our computers are likely within arm’s reach all day and night.
Time to get thorough
Rather than trying to scare you with my previous description of the damage that could be done, I’m hoping historical context will give you an idea of the sort of changes that will need to be made if you believe you’re being tracked.
If you’ve ever had to go through the process of replacing a stolen credit card, or of changing your legal name for marriage, you’ll have a good sense of how much it can help to sit down and create an exhaustive list before proceeding. In order to do that with a clear head, you will need to get yourself out of harm’s way first.
If you suspect your device is being tracked, you must consider the affected device “untrusted” from here on out, as even restoring it to factory settings may not completely clear a tracker. The microphone or camera functionality of your phone may be in use by the tracker, so be mindful of what is happening around your device. As unintuitive as this may sound, you may not want to power your phone off, as this may compromise data or evidence on your phone. Do turn off network connectivity immediately; put the device in Airplane Mode, and make sure this has disabled Wi-Fi and Bluetooth connectivity as well.
In order to preserve evidence or have an expert check your device, you’ll need to act promptly and carefully, as there are still ways malware could affect data stored on your device, even without access to a network connection. Put your phone out of earshot, and leave it there while you get to a safe place. When you are ready to forward your phone to an expert, put it into a Faraday Bag before interacting with it again.
“Keep in mind that SMS text messages are not encrypted”
While it certainly doesn’t hurt to ask for help from local law enforcement, know that even major cities may not have the expertise or the bandwidth to investigate compromised mobile devices. The most important objective is to take steps to make sure you’re safe. Ask for help, but do not wait for others to help you.
Once you are out of physical proximity of the mobile device being tracked, you can begin to take a more thorough assessment of your situation and start bolstering your defenses.
While it is entirely possible that any tracking is limited to one device, it’s a good idea to check any desktop, laptop, tablet, or cellphones that you use. Keep potentially-compromised devices out of your safe space so that they cannot report this location to the person tracking you. If you’ve forwarded your mobile device to an expert for analysis, they may also need you to provide access to these additional devices.
Once you determine that devices are safe, you should bolster your overall security precautions. Make sure you have updated security software including anti-malware and firewall functionality. Update your software including your operating system, Internet browsers and plugins. Change your passwords: choose ones that are strong, memorable and unique for each device and account. Do not re-use passwords for different accounts or devices. Going forward, once you have determined that your devices are clean, you may decide to encrypt data stored on your devices and communications sent over the network, such as via email or instant messaging. Keep in mind that SMS text messages are not encrypted.
Check online accounts and services
Most of us use our phones to access a variety of online resources; this may include online banking, social media, online review sites, etc. Many sites will allow you to de-authorize devices: if that option is available, remove the compromised devices.
Now is a good time to improve security for every account you have accessed on your phone and any other affected devices. Delete accounts you no longer use. Once again, change your passwords, and make sure your choices are strong, memorable and unique. Wherever it’s available, enable two-factor authentication but do not send keys via SMS, or to email accounts that are linked to devices that are being tracked, as this will mean your attacker can use also use these keys to access your accounts. You should also set up login notification, so that you will be alerted if unauthorized devices try to get into your accounts.
If you’re in the habit of taking regular backups, you might be inclined to start pulling files from your online or offline backup sources. As it can be hard to know at what point tracking began, it is safer to assume that backups are compromised, especially if the backup was accessible to a device you suspect has been tracked. If you want to recover your valid data files while leaving suspicious files behind, you may need to employ an expert.
Until you can be fairly certain that your situation is resolved, you may want to get a temporary, prepaid “burner” phone that is limited to emergency contacts. Do not log onto online accounts or services from this device, and do not contact anyone who might give the number to the person you suspect is tracking you.
“You should also set up login notification, so that you will be alerted if unauthorized devices try to get into your accounts”
Any other steps you might need to take will depend on who is tracking you: for example, if you live in the same house with the person, you’ll need to get yourself to a safe location as soon as possible. Once you’ve extricated yourself from immediate danger, there are a number of other things you can and should do to protect yourself. If the person tracking you is an acquaintance or someone entirely unknown to you, they may be more interested in your assets, or in your absence from a location rather than your presence.
When you’re ready to get a new phone, be sure to secure it well. Set a password to lock your device, rather than a less-secure numeric PIN or pattern-lock. Install a mobile security product, if you’re using an Android device. You may want to set your device to automatically install updates, so they’re applied promptly. You can also set your device to only allow the installation of apps from reputable app stores, but your caution should not end there: be judicious about checking that apps are well (and positively) reviewed, and consider if the permissions it’s requesting seem reasonable for the purpose of the software. And finally, be vigilant about clicking links in email – it’s better to err on the side of typing a website directly into your browser rather than clicking a link that may send you somewhere unexpected and potentially dangerous.
Each situation is different, and your specific needs will necessarily vary. You should consider consulting with a lawyer or a social worker, who can help you make a thorough plan to keep yourself safe.
Author Lysa Myers, ESET